DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

October 07, 2005

MEMORANDUM FOR Louis King
               Director, Information Technology Audits
               Office of the Treasury Inspector General

FROM:          Michael R. Phillips
               Deputy Inspector General for Audit

SUBJECT:       Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2005

We are pleased to submit the Treasury Inspector General for Tax Administration’s (TIGTA) Federal Information Security Management Act (FISMA)[1] report for Fiscal Year (FY) 2005. The attached spreadsheet presents our independent evaluation of the status of information technology security at the Internal Revenue Service (IRS). Our evaluation was based on Office of Management and Budget (OMB) reporting guidelines.

During FY 2005, the IRS made strides toward improving security in the bureau. Most significantly, the IRS developed a corporate approach to FISMA by elevating its FISMA processes and procedures into an enterprise-wide program. A cross-organizational FISMA working group was created, reporting to an Executive Steering Committee for the development and effective collaboration of FISMA activities. The FISMA working group developed a Concept of Operations, established security roles and responsibilities, and identified budget and resource requirements. Executive position descriptions now reflect security responsibilities. Additionally, a Security Program Management Office was established within each business unit to provide guidance and consistency across the IRS business units in implementing FISMA requirements. IRS business unit owners were more involved in the annual self-assessments of applications. In addition, the IRS developed new Plans of Action and Milestones (POA&M) and discarded those used in prior years. The new POA&M process should enable the IRS to make risk-based, cost-effective decisions to correct security weaknesses.

[1] FISMA is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301, 2002.

While we recognize that it will take time to achieve long-term improvements, we found that the process changes made by the IRS have not yet had a positive effect on some of the measurements requested by the OMB. Specifically, we noted concerns with the IRS’ system inventory categorization, certification and accreditation, continuous monitoring, tracking of corrective actions, training of employees with key security responsibilities, contractor oversight, and security configuration policies.

As a result, we believe that sufficient attention is not yet being given to the security of all sensitive systems and to contractor activities.
The IRS continues to use a large number of systems containing sensitive taxpayer data that have been ranked as low risk, most of which have not been certified and accredited and have not been adequately tested on an annual basis.

To complete our review, we chose a representative subset of 17 systems, including 7 general support systems[2] and 10 major applications.[3] We also evaluated certifications and accreditations for 10 systems, assessed whether employees with significant security responsibilities were identified and sufficiently trained, and determined the extent of the IRS’ oversight of contractors who have access to Federal tax data. Our concerns are outlined below.

[2] A general support system is an interconnected set of information resources under the same direct management control that shares common functionality.
[3] A major application requires special management oversight because of the information it contains, processes, or transmits, or because of its criticality to the organization’s mission.

Systems Inventory

OMB guidance for the FY 2005 FISMA reporting states, “FISMA applies to information systems used or operated by an agency or a contractor of an agency or other organization on behalf of an agency. All systems meeting this definition shall be included in the report.”

The IRS has a total of 280 systems in its inventory, which we believe should have been reported in its FY 2005 FISMA submission. However, the IRS reported 82 general support systems and major applications, which we believe is contrary to OMB guidance. The IRS considers the remaining 199 systems to be non-major systems. The IRS assigned all of its non-major applications to a general support system on the assumption that the general support systems provide the majority of the security controls for the non-major applications. For its approach to be effective, the IRS must assess the risk of all systems, document the controls for each system, and assign accountability for the specific controls.

Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires that the risk of all systems be categorized as high, moderate, or low, considering the confidentiality, integrity, and availability requirements of the information processed by the systems. National Institute of Standards and Technology (NIST) Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, must be used in categorizing the risk for the information systems. The IRS applied the FIPS 199 security categorization to all of its systems; however, the IRS did not use the guidance provided in NIST SP 800-60 in performing the risk categorization of its non-major systems. All non-major applications were ranked as low risk for confidentiality, integrity, and availability even though several contained sensitive taxpayer and employee information. NIST SP 800-60 states that taxpayer information should be considered at least a moderate risk. The risk categorization is important because it helps determine the level of security controls needed for each system. By not applying the NIST standards to the non-major applications, the IRS may fail to identify and implement sufficient security controls.
The Chief, Mission Assurance and Security Services (MA&SS) advised that a priority for Fiscal Year 2006 will be to more thoroughly review and re-validate the currently assigned risk impact levels of its non-major applications, using the guidance provided in NIST SP 800-60.

NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, states that when non-major applications are bundled with a general support system, the security requirements for each of the non-major applications are to be included in the general support system’s security plan. None of the general support system security plans we reviewed addressed specific controls for non-major applications or assigned specific accountability for those controls.

While the IRS’ general support systems provide security controls to prevent hackers from entering the network, application-level controls are also critical to prevent unauthorized access to sensitive data by employees and contractors who already have access to the IRS network. Since risk categorizations have not been applied using NIST guidelines, and because specific controls have not been documented and accountability for those controls has not been assigned, we are concerned that business unit owners of non-major applications are relying too heavily on the general support system controls to protect sensitive data. The results of our review of certifications and accreditations and annual self-assessments, described below, add to our concerns.

Certification and Accreditation

NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, requires that all systems be certified and accredited every three years or when major changes to systems occur. In the IRS, the Chief, MA&SS is the certifying authority for all systems. The Chief, MA&SS must test the systems and provide the results to the business unit owner, along with the systems’ security plans and POA&Ms to correct weaknesses. Business unit owners must then evaluate the information and determine whether to accredit the system, thereby giving it an authority to operate. By accrediting the system, the business unit owner accepts responsibility for the security of the system and is fully accountable for any adverse impacts if security breaches occur.

The IRS reported that 90 percent of its 82 general support systems and major applications were certified and accredited. However, if all systems were reported as we believe OMB requires, only 35 percent of its 280 systems should have been reported as certified and accredited.

We conducted a more thorough review of 10 systems that had been certified and accredited to evaluate the IRS process. Our review included documentation for 6 general support systems and 4 major applications. During FY 2005, the IRS prioritized its efforts by focusing attention first on its general support systems. The IRS certified and accredited the general support systems in compliance with NIST standards, except that security plans did not include controls for the bundled non-major applications, as we discussed earlier.

The IRS has recently begun to focus attention on improving the certification and accreditation process for its major applications. In our review of 4 major applications, System Security Plans and Security Test and Evaluation documents for major applications did not comply with NIST standards. Controls presented in the plans were not sufficiently detailed and were not based on risk levels established by FIPS Publication 199. Tests did not include all system components, such as encryption, telecommunication links, and user account management. Only 16 percent of the systems we reviewed showed that contingency plans had been tested. The IRS has not yet focused attention on the certification and accreditation process for its non-major applications.

Continuous Monitoring

In addition to certifying and accrediting systems every three years, NIST SP 800-37 requires that a system of continuous monitoring of systems be in place. System owners must complete a self-assessment required by NIST at least annually.

In our opinion, self-assessments conducted by the IRS using NIST SP 800-26 did not include adequate testing of application controls. System owners often referred only to the general support system controls to address security elements that should have been reviewed at the application level. For example, a question on the self-assessment for a major application, the Tax Return Data Base, asks, “Are personnel files matched with user accounts to ensure that terminated or transferred individuals do not retain system access?” The response stated that controls are implemented, and the scoring is based on a composite score of several general support systems. The IRS responded similarly to questions regarding password controls and audit trails for the Combined Annual Wage Reporting, a major application that allows the IRS and the Social Security Administration (SSA) to improve the accuracy of annual wage data reported by comparing tax payments on IRS and SSA forms. In each of these examples, no references were made in the self-assessment document to the application controls, only to the controls of the general support system.

We found in our representative subset of 17 systems that 9 systems (53 percent) had been certified during FY 2005. We considered these systems to have been tested and evaluated in FY 2005.

Tracking Corrective Actions

As previously mentioned, during FY 2005 the IRS revised its POA&M process, and we are hopeful that the changes will be effective. The IRS advised that it is tracking all security weaknesses in a database and developing POA&Ms for the high-priority weaknesses that it can address with available resources. Since the POA&Ms were not completed by the IRS until early September 2005, we did not have an opportunity to evaluate the IRS’ prioritization of weaknesses. We were able to determine that the POA&Ms:

   • include weaknesses from IRS internal reviews, as well as most TIGTA and Government Accountability Office reviews.
   • are tailored to specific applications and no longer capture standard, repetitive wording as they did in past years.
   • indicate that the IRS appears to have analyzed and prioritized weaknesses and has included corrective actions in the POA&Ms.

While additional refinements will be made during the coming year, we find the progress made in this area noteworthy.

Training Employees with Key Security Responsibilities

The OMB requires that all employees with key security responsibilities be given security-related training at least annually. In FY 2004, we reported that the Office of Mission Assurance and Security Services did not have an adequate tracking process in place to ensure all employees with significant security responsibilities were identified and trained. As a result, the IRS did not accurately identify the number of employees with significant security responsibilities or the number of employees trained.

In FY 2005, the IRS provided security awareness training to all of its employees and contractors. In its FY 2005 FISMA submission, the IRS reported it has 2,737 employees with significant information technology security responsibilities and that 300 (11 percent) of those employees received specialized training.
We could not verify this information since the IRS still has no tracking system in place to identify persons with significant security responsibilities and the specialized training they completed. The IRS advised that it plans to implement a tracking system in FY 2006.

In prior audits, we have attributed several security weaknesses to a lack of adequate training for system administrators. Since only 11 percent of these employees have been trained this year, according to the IRS, we expect these weaknesses to persist.

Oversight of Contractors

FY 2005 OMB guidance for completing the agency and Inspector General FISMA reports states that agency IT security programs apply to all organizations which possess or use Federal information, or which operate, use, or have access to Federal information systems on behalf of a Federal agency. Such other organizations may include contractors, grantees, State and local governments, industry partners, etc. FISMA guidelines emphasize OMB’s longstanding policy concerning sharing government information and interconnecting systems. Therefore, Federal security requirements continue to apply, and the agency is responsible for ensuring appropriate security controls. Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data. We believe the following conditions indicate a need for significantly increased IRS oversight of contractors and State agencies that have access to Federal tax data.

We conducted a separate review this year of the monitoring of contractor access to networks and data.[4] The overall objective of this review was to determine whether IRS management implemented adequate controls over the PRIME contractor’s[5] access to IRS networks and data. We found the IRS gave the PRIME contractor the authority to add, delete, and modify its own employees’ user accounts on IRS systems. Our review showed that the PRIME contractor added user accounts without any oversight by the IRS during at least a 1-year period.

We also conducted a separate review to determine whether State tax agencies were protecting Federal tax information provided by the IRS from unauthorized use and disclosure.[6] Internal Revenue Code (I.R.C.) 6103 requires the IRS to disclose Federal tax information to various State and Federal agencies. State tax agencies can use this information to identify non-filers of State tax returns, determine discrepancies in the reporting of income, locate delinquent taxpayers, and determine whether IRS adjustments have State tax consequences. The IRS is responsible for ensuring that State tax agencies properly safeguard Federal tax information. To do this, the IRS’ Safeguard Program encompasses reviewing and approving Safeguard Procedures and Safeguard Activity Reports submitted by State tax agencies and conducting on-site Safeguard Reviews of each State tax agency at least once every 3 years. Based on the instructions published by the OMB, it is our opinion that, as users of vast amounts of Federal tax data, the States should be required to protect that data in accordance with FISMA requirements. Accordingly, State agencies should be required to conduct annual self-assessments using NIST Special Publication 800-26 and to track and monitor corrective actions using POA&Ms.

However, the IRS does not require State agencies to conduct self-assessments of their systems using NIST Special Publication 800-26 and does not require them to monitor and track corrective actions using POA&Ms. In addition, the IRS has not provided sufficient and timely reviews of the security of Federal tax information maintained by the States. The IRS believes that States are not required to comply with FISMA requirements because they do not use the Federal tax data they receive on behalf of the IRS.

Security Configuration Policies

Detailed security testing results were not provided for our review for any systems. Therefore, we could not evaluate the extent of implementation of the security configuration policies.

If you have any questions, please contact me or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[4] Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved (Reference Number 2005-20-185, dated September 2005).
[5] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.
[6] Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected (Reference Number 2005-20-184, dated September 2005).

Details of the TIGTA’s FISMA Analysis

Section C: Inspector General. Questions 1, 2, 3, 4, and 5.
Agency Name:

Question 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

   To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
   1) Continue to use NIST Special Publication 800-26, or,
   2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53.
   Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

Question 1

                         a. FY 05 Agency    b. FY 05 Contractor    c. FY 05 Total
FIPS 199 Risk            Systems            Systems                Number of Systems
Impact Level             Total   Reviewed   Total   Reviewed       Total   Reviewed
Bureau
  High                       2       2          0       0              2       2
  Moderate                  79      15          8       3             79      15
  Low                        1       0          3       0              1       0
  Not Categorized                               1       0
  Sub-total                 82      17         12       3             82      17
Agency Totals
  High                       2       2          0       0              2       2
  Moderate                  79      15          8       3             79      15
  Low                        1       0          3       0              1       0
  Not Categorized            0       0          1       0
  Total                     82      17         12       3             82      17

Question 2

                         a. Number of systems   b. Number of systems for which   c. Number of systems for which
                         certified and          security controls have been      contingency plans have been tested
FIPS 199 Risk            accredited             tested and evaluated in the      in accordance with policy and
Impact Level                                    last year                        guidance
                         Number   Percent of    Number   Percent of              Number   Percent of
                                  Total                  Total                            Total
Bureau
  High                       2     100.0%           0       0.0%                     2     100.0%
  Moderate                  13      86.6%           9      60.0%                     3      20.0%
  Low                        0       0.0%           0       0.0%                     0       0.0%
  Not Categorized
  Sub-total                 15      88.2%           9      52.9%                     5      29.4%
Agency Totals
  High                       2     100.0%           0       0.0%                     2     100.0%
  Moderate                  13      86.6%           9      60.0%                     3      20.0%
  Low                        0       0.0%           0       0.0%                     0       0.0%
  Not Categorized
  Total                     15      88.2%           9      52.9%                     5      29.4%

Question 3

In the format below, evaluate the agency’s oversight of contractor systems, and agency system inventory.

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.
     Response Categories:
        - Rarely, for example, approximately 0-50% of the time
        - Sometimes, for example, approximately 51-70% of the time
        - Frequently, for example, approximately 71-80% of the time
        - Mostly, for example, approximately 81-95% of the time
        - Almost Always, for example, approximately 96-100% of the time
     Response: Rarely, for example, approximately 0-50% of the time

3.b. The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
     Response Categories:
        - Approximately 0-50% complete
        - Approximately 51-70% complete
        - Approximately 71-80% complete
        - Approximately 81-95% complete
        - Approximately 96-100% complete
     Response: Approximately 96-100% complete

3.c. The OIG generally agrees with the CIO on the number of agency owned systems.
     Response: No

3.d. The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.
     Response: No

3.e. The agency inventory is maintained and updated at least annually.
     Response: Yes

3.f. The agency has completed system e-authentication risk assessments.
     Response: Yes

Question 4

Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the area provided below.

For items 4.a-4.f, the response categories are as follows:
   - Rarely, for example, approximately 0-50% of the time
   - Sometimes, for example, approximately 51-70% of the time
   - Frequently, for example, approximately 71-80% of the time
   - Mostly, for example, approximately 81-95% of the time
   - Almost Always, for example, approximately 96-100% of the time

4.a. The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
     Response: Almost Always, for example, approximately 96-100% of the time

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
     Response: Almost Always, for example, approximately 96-100% of the time

4.c. Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.
     Response: Almost Always, for example, approximately 96-100% of the time

4.d. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
     Response: Almost Always, for example, approximately 96-100% of the time

4.e. OIG findings are incorporated into the POA&M process.
     Response: Frequently, for example, approximately 71-80% of the time

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
     Response: Almost Always, for example, approximately 96-100% of the time

Comments: Question 1.a - The IRS has a total of 280 systems, 199 of which are non-major applications. IRS is reporting only its 82 major systems, which we believe is contrary to OMB guidance, which requires that all systems be reported.
To be consistent with other Treasury bureaus, we are including 82 in our template. However, we selected our representative subset of systems from the population of 280 systems. Questions 1.b & 1.c - IRS has 12 contractor support functions that require oversight. We have reported these in Question 1.b; however, since these are not systems, they are not reflected in the total in Question 1.c. Question 2.a - The IRS reported that it has certified and accredited 90% of its major systems. However, only 35 percent of its 280 systems have been certified and accredited. Question 2.b - Self-Assessment performance levels for Major Applications are often based on the performance level for the associated GSS. Question 3.a - We reviewed 3 of IRS’ 12 contractor systems and found IRS’ reviews to be generally adequate. We conducted separate reviews this year of IRS’s monitoring of contractor access to networks and data and whether State agencies adequately protect Federal tax data. These reviews showed the need for significantly increased oversight by the IRS of contractors and State agencies. Question 3.c - As stated in the comments for Question 1.a, we disagree that IRS should report only its major systems in its FISMA report. Question 3.d - We believe OMB guidance requires IRS to include State agencies that receive Federal Tax Information as contractors.

Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency’s certification and accreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems” (May, 2004) for certification and accreditation work initiated after May, 2004. This includes use of the FIPS 199 (February, 2004), “Standards for Security Categorization of Federal Information and Information Systems,” to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

Assess the overall quality of the Department’s certification and accreditation process.
     Response Categories: Excellent, Good, Satisfactory, Poor, Failing
     Response: Satisfactory

Comments: Question 5 - IRS prioritized its C&A efforts by focusing attention first on its General Support Systems (GSS) during FY 2005 and has recently begun to focus attention on improvement of the C&A process for its MAs. We found the C&A documentation for the GSSs was generally in compliance with NIST standards; however, application controls for non-major systems were not sufficiently addressed in the GSS security plans. C&A documentation for the MAs needs improvement. System Security Plans and Security Test and Evaluation documents for MAs generally did not comply with NIST standards. Controls presented in the plans were not sufficiently detailed and were not based on FIPS 199 security impact levels. Tests did not include all system components such as encryption, datacom links and user account management.

Section B: Inspector General. Question 6, 7, 8, and 9.
Agency Name:

Question 6

6.a. Is there an agency wide security configuration policy? Yes or No.
     Response: Yes
     Comments:

6.b. Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.
     Columns:
        - Addressed in agencywide policy? (Yes, No, or N/A.)
        - Do any agency systems run this software? (Yes or No.)
        - Approximate the extent of implementation of the security configuration policy on the systems running the software. Response choices include:
             - Rarely, or, on approximately 0-50% of the systems running this software
             - Sometimes, or on approximately 51-70% of
the systems running this software\n           Product                                                                                                         - Frequently, or on approximately 71-80% of\n                                                                                                                             the systems running this software\n                                                                                                                           - Mostly, or on approximately 81-95% of the\n                                                                                                                             systems running this software\n                                                                                                                           - Almost Always, or on approximately 96-100% of the\n                                                                                                                           systems running this software\n\n\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              Windows XP Professional\n                                                                               Yes                          Yes            running this software\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              Windows NT\n                                                                               Yes                          Yes            running this software\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              Windows 2000 Professional\n                                   
                                            Yes                          Yes            running this software\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              Windows 2000 Server\n                                                                               Yes                          Yes            running this software\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              Windows 2003 Server\n                                                                               Yes                          Yes            running this software\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              Solaris\n                                                                               Yes                          Yes            running this software\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              HP-UX\n                                                                               Yes                          Yes            running this software\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              Linux\n                                                                               Yes                          Yes            running this software\n                                                                                                                  
               - Rarely, or, on approximately 0-50% of the systems\n              Cisco Router IOS\n                                                                               Yes                          Yes            running this software\n                                                                                                                                 - Rarely, or, on approximately 0-50% of the systems\n              Oracle\n                                                                               Yes                          Yes            running this software\n            Other. Specify:\nComments: Detailed security testing results were not provided for our review for any systems. Therefore, we rated the extent of implementation of the security\nconfiguration policy as Rarely, or, on approximately 0-50% o f the systems running each software product.\n\n                                                                                            Question 7\n\nIndicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.\n       7.a.             The agency follows documented policies and procedures for identifying and reporting                                             Yes\n                        incidents internally. Yes or No.\n\x0c      7.b.        The agency follows documented policies and procedures for external reporting to law                                  Yes\n                  enforcement authorities. Yes or No.\n                  The agency follows defined procedures for reporting to the United States Computer\n       7.c.                                                                                                                            Yes\n                  Emergency Readiness Team (US-CERT). http://www.us-cert.gov. 
Yes or No.\nComments:\n                                                                           Question 8\n        8         Has the agency ensured security training and awareness of all employees, including      - Rarely, or, approximately 0-50% of employees have sufficient\n                                                                                                          training\n                  contractors and those employees with significant IT security responsibilities?\n                  Response Choices include:\n                  - Rarely, or, approximately 0-50% of employees have sufficient training\n                   - Sometimes, or approximately 51-70% of employees have sufficient training\n                   - Frequently, or approximately 71-80% of employees have sufficient training\n                   - Mostly, or approximately 81-95% of employees have sufficient training\n                   - Almost Always, or approximately 96-100% of employees have sufficient training\nComments: IRS has provided security awareness training to all of its employees and contractors. IRS reported it has 2737 employees with significant IT\nsecurity responsibilities and that 300 of those received specialized training. We could not verify this information because IRS currently has no tracking\nmechanisms to identify persons with significant security responsibilities and the specialized training they received. IRS expects to have these controls\nimplemented during FY 2006.\n                                                                           Question 9\n        9         Does the agency explain policies regarding peer-to-peer file sharing in IT security                                  Yes\n                  awareness training, ethics training, or any other agency wide training?\n                  Yes or No.\n\x0c'